Configuring Multiple ACE Servers


  • 8/10/2019 Configuring Multiple ACE Servers

    Technical Note

    Copyright 2007 VMware, Inc. All rights reserved.

    Configuring Multiple ACE Management Servers
    VMware ACE 2.0

    This technical note describes how to configure multiple VMware ACE Management Servers to work together. VMware recommends this configuration for scaling ACE Management Server service for thousands of clients. See Figure 1.

    Figure 1. Two ACE Management Servers Configured to Work Together

    A single ACE Management Server can handle a preset number of clients, but you can add more servers to your ACE Management Server infrastructure by using load balancing. When you add more servers to the load balancing group, the number of clients that you can serve will scale in a linear fashion. For example, if you can serve 2,000 clients with one server, using two load balanced servers will allow you to serve 4,000 clients.

    This technical note assumes that you are familiar with the installation and configuration of a standalone ACE Management Server with external database support. It also describes how to set up two or more servers and the extra steps that are necessary to use the load balance feature.

    This technical note contains the following sections:

    Requirements
    Installation of Services
    Load Balancing
    Verification
    Final Notes

    [Figure 1 labels: ACE Management Server 1, ACE Management Server 2, Active Directory domain controller (LDAP, Kerberos), database server (ODBC), load balancer (optional), AMS clients (HTTPS)]

    Requirements

    To use the information in this technical note, you will need the following:

    Two or more machines (or virtual machines) to host the ACE Management Server processes
    An external database to host the ACE Management Server data
    A load balancing solution to manage traffic

    Installation of Services

    Install the ACE Management Server package on two or more machines (or virtual machines). Configure each one separately to access the same external database.

    You must use an external database to configure multiple ACE Management Servers. Both ACE Management Server installations must be able to identify the same data store so either installation can field queries for clients and scale the number of clients that can be served.

    You can verify that both ACE Management Servers are working properly by starting Workstation ACE Edition and connecting to each ACE Management Server directly (by IP or hostname). You should see the same data in the Instance View window. If you create a test ACE and preview it, you see the preview instance on both servers.

    Using the Same SSL Certificate on All Servers

    The following procedure describes how to copy the SSL certificate and key from one ACE Management Server to another.

    To copy the SSL certificate and key from one ACE Management Server to another

    1 Log in to ACE Management Server 1.

    2 Locate both the SSL certificate and key directory files.

      On Windows machines, the files are located at C:\Program Files\VMware\VMware ACE Management Server\ssl.

      On Linux machines, the files are located at /var/lib/vmware/acesc/ssl.

      The certificate file is server.crt. The key file is server.key.

    3 Use scp (secure copy) to copy the following files if you are using the Virtual Appliance of the ACE Management Server by performing the following steps:

      a Enter scp user@: user@:.

        You can also enable shared folders (if you are using VMware Workstation to run the Virtual Appliance), and copy the files out of the virtual machine through the shared folders feature.

      b Open a browser, and load the configuration page for ACE Management Server 2.

      c Click the Custom SSL Certificates tab.

      d Specify the key file in the Server Private Key field.

      e Specify the certificate file in the Server Public Certificate field.

      f Click Upload certificates.

      g Click Apply.

    4 Restart ACE Management Server 2.


    Creating New SSL Certificates and Keys for Each Server

    If you do not want to use the same SSL certificate and key for each ACE Management Server, you must create new SSL certificates and keys for each server. The following steps guide you through the process of creating new SSL certificates and keys and installing them on your ACE Management Server.

    To create new SSL certificates and keys

    1 Create as many SSL certificate and key pairs as you need (one for each server in your server farm).

      The procedure for doing this varies depending on the tools you use. See the documentation for your platform to determine how to create these certificates and keys. Each certificate must have a unique common name and a unique serial number.

    2 If your certificates require a certificate chain to be verified, create a certificate chain file.

      The certificate chain file is a text file that contains every certificate (in PEM format) needed in order to verify the leaf certificate (including the root certificate of the chain).

      a Download the verification chain from your certificate authority.

      b Each certificate must be in PEM format prior to creating the certificate chain file. To convert to PEM format, use the OpenSSL tools available online.

      c Create the certificate chain file by concatenating each PEM encoded certificate into one file.

      You now have a certificate chain file for every new certificate that you have created. For example, if you are using two ACE Management Servers you would have two certificate chain files.

    3 Join all of these certificate chain files into one large file. If you can, eliminate the duplicate entries.

    4 Convert the servers' SSL certificates to PEM format.

    5 Add the servers' SSL certificates in PEM format to the certificate chain file.

    You have three files that need to be uploaded to every ACE Management Server in your farm:

    SSL certificate file
    SSL key file
    Certificate chain file
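
    The chain-file steps above (convert to PEM, join the chain files, eliminate duplicate entries, add the server certificates), as an added example that is not code from VMware's note. The function names are hypothetical and the sample inputs are constructed stand-in bytes, not real X.509 certificates; the example also refuses any non-certificate PEM block so that server.key cannot end up in the chain file.

```python
import hashlib
import re
import ssl

# Any PEM block; group 1 is its label (CERTIFICATE, RSA PRIVATE KEY, ...).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

# Constructed stand-ins: arbitrary bytes, not real X.509 certificates.
ROOT, INTERMEDIATE = b"root-ca" * 12, b"intermediate-ca" * 8
AMS1, AMS2 = b"ams-server-1" * 9, b"ams-server-2" * 9


def to_pem(data: bytes) -> str:
    """Return PEM text for input that is PEM already or one DER certificate."""
    if b"-----BEGIN " in data:
        return data.decode("latin-1")
    return ssl.DER_cert_to_PEM_cert(data)


def build_chain_file(inputs) -> str:
    """Join chain files and server certificates into one PEM chain file.

    Each input is bytes: a PEM chain file, a PEM certificate or a DER
    certificate. Duplicates are dropped; first-seen order is kept.
    """
    seen, out = set(), []
    for data in inputs:
        for label, body in PEM_BLOCK.findall(to_pem(data)):
            if label != "CERTIFICATE":
                # server.key (or anything else) must not reach the chain file.
                raise ValueError(f"unexpected PEM block: {label}")
            pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"
            der = ssl.PEM_cert_to_DER_cert(pem)
            digest = hashlib.sha256(der).digest()
            if digest not in seen:  # same certificate, whatever its line wrapping
                seen.add(digest)
                out.append(ssl.DER_cert_to_PEM_cert(der))
    return "".join(out)


if __name__ == "__main__":
    ca_chain = (to_pem(ROOT) + to_pem(INTERMEDIATE)).encode()
    # Second chain file: same CA chain, CRLF line endings (a duplicate).
    chain = build_chain_file(
        [ca_chain, ca_chain.replace(b"\n", b"\r\n"), AMS1, to_pem(AMS2).encode()])
    print(chain.count("BEGIN CERTIFICATE"), "certificates in chain file")
```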

    Complete this procedure for every ACE Management Server in your farm to upload files to each ACE Management Server.

    To upload the files to the servers in your server farm

    1 Open a browser and load the configuration page for your ACE Management Server.

    2 Click the Custom SSL Certificates tab.

    3 Specify the key file in the Server Private Key field.

    4 Specify the certificate file in the Server Public Certificate field.

    5 Specify the certificate chain file in the Server Public Certificate Authentication Chain field.

    6 Click Upload certificates.

    7 Click Apply.

    8 Restart the ACE Management Server.


    Figure 2. Creating the Certificate Chain File

    Load Balancing

    ACE Management Server uses HTTPS to communicate with its clients. Any load balancing solution that supports HTTPS should work with ACE Management Server.

    Install your load balancer and configure port 443 (HTTP over SSL) for load balancing. Do not configure port 8080 or 8000 for load balancing. These two ports are used for configuration. Port 8080 is the virtual appliance configuration port and 8000 is the ACE Management Server configuration port.

    Verification

    Restart your Workstation ACE Edition client before verification. This is required so that Workstation ACE Edition redownloads the SSL Certificate when a connection to the ACE Management Server is established.

    You should be able to connect to your ACE Management Server using the address of the load balancer. Create a test ACE instance and preview it. The preview instance should run regardless of which ACE Management Server handles its requests. You can test this in the following way:

    To test your ACE instance

    1 Create a test ACE template.

    2 Open the policy editor.

    3 Select Policy Update Frequency.

    4 Select Disable Offline Usage.

    5 Click OK.

    6 Remove the first ACE Management Server from your load balancing configuration (all traffic will go to the second ACE Management Server).

    7 Preview the test ACE.

      This will create an instance on the ACE Management Server.

    8 Close the ACE Player.

    9 Remove the second ACE Management Server from the load balancing configuration and add the first ACE Management Server back into the configuration.

      All traffic will go to the first ACE Management Server now.

    10 Preview the same ACE template again. When prompted whether to reinstantiate or reuse the instance, select Use Existing Instance.

      The instance should start successfully. If the instance starts successfully, both servers are using the same SSL certificate.

    [Figure 2. Creating the Certificate Chain File: the root SSL certificate, the intermediary SSL certificate, and the SSL certificates of ACE Management Server #1 and ACE Management Server #2 are each converted to PEM and then appended to the certificate chain file.]

    Final Notes

    It is also possible to configure multiple ACE Management Servers using different certificates (self-signed or with a verification chain).

    The steps for this procedure are similar. You must create new certificates and keys (or download them from your Certificate Authority). Upload them to each server.

    An extra step is required when using separate certificates. Create a certificate chain file. The certificate chain file is a file that contains multiple certificates concatenated together (in PEM format). If both of your certificates are self-signed, your certificate chain file should be a file that contains both certificates concatenated. If you received your certificates from the same certificate authority, the chain file must contain only the verification chain for these certificates (which should be the same). If the certificates come from different certificate authorities, the chain file must contain both certificate verification chains.

    Upload the certificate chain file at the same time that you upload the certificate and key file to the server.

    VMware, Inc. 3401 Hillview Ave., Palo Alto, CA 94304 www.vmware.com

    Copyright 2007 VMware, Inc. All rights reserved. Protected by one or more of U.S. Patent Nos. 6,397,242, 6,496,847, 6,704,925, 6,711,672, 6,725,289, 6,735,601, 6,785,886, 6,789,156, 6,795,966, 6,880,022, 6,944,699, 6,961,806, 6,961,941, 7,069,413, 7,082,598, 7,089,377, 7,111,086, 7,111,145, 7,117,481, 7,149,843, 7,155,558, 7,222,221, 7,260,815, 7,260,820, and 7,269,683; patents pending. VMware, the VMware boxes logo and design, Virtual SMP and VMotion are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Revision 20070919